Abstract

In this paper, we consider the problem of synthesizing low-complexity controllers for incrementally stable switched systems. For that purpose, we establish a new approximation result for the computation of symbolic models that are approximately bisimilar to a given switched system. The main advantage over existing results is that it allows us to design naturally quantized switching controllers for safety or reachability specifications; these can be pre-computed offline and therefore the online execution time is reduced. Then, we present a technique to reduce the memory needed to store the control law by borrowing ideas from algebraic decision diagrams for compact function representation and by exploiting the non-determinism of the synthesized controllers. We show the merits of our approach by applying it to a simple model of temperature regulation in a building.
The use of discrete abstractions or symbolic models has become quite popular for hybrid systems design (see e.g. [TJ HJ GH HI [S]). In particular, several recent works have focused on the use of symbolic models related to the original system by approximate equivalence relationships (approximate bisimulations [5, 7]; or approximate alternating bisimulation relations 019]) which give more flexibility in the abstraction process by allowing the observed behaviors of the symbolic model and of the original system to be different provided they remain close. These approximate behavioral relationships have enabled the development of new abstraction-based controller synthesis techniques (TU1 HJ).

In this paper, we go one step further by pursuing the goal of synthesizing controllers of lower complexity with shorter execution time and more efficient memory usage for their encoding. For that purpose, we establish a new approximation result for the computation of symbolic models that are approximately bisimilar to a given incrementally stable switched system. This result slightly differs from the original result presented in [7] and this difference is fundamental for the synthesis of controllers with lower complexity. Indeed, the combination of this new result with synthesis techniques for safety or reachability specifications yields quantized switching controllers that can be entirely pre-computed offline. The online execution time is then greatly reduced in comparison to controllers obtained using the previously existing approximation result. We then consider the problem of the representation of the control law with the goal of reducing the memory needed for its storage. This is done by using ideas from algebraic decision diagrams (see e.g. [15]) for compact function representation. Also, the non-determinism of the synthesized controllers can be exploited to further simplify the representation of the control law. Finally, we apply our approach to the synthesis of controllers for a simple model of temperature regulation in a building. The results on the synthesis of safety controllers appeared in preliminary form in the conference paper [13]; those on reachability controllers are new.

2. Symbolic Models for Switched Systems 

In this section, we present an approach for the computation of symbolic models (i.e. discrete abstractions) for a class of switched systems. This problem has already been considered in [7]. In the following, we present a slightly different abstraction result that will allow us to synthesize controllers with lower complexity.

2.1. Switched systems 

In this paper, we consider a class of switched systems of the form

$$\Sigma:\ \dot x(t) = f_{p(t)}(x(t)),\qquad x(t)\in\mathbb{R}^n,\ p(t)\in P,$$

where $P$ is a finite set of modes. We will assume that the switched system $\Sigma$ is incrementally globally uniformly asymptotically stable ($\delta$-GUAS, [H]). Intuitively, a switched system is $\delta$-GUAS if the distance between any two trajectories associated with the same switching signal $p$, but with different initial states, converges asymptotically to 0. Incremental stability of a switched system can be characterized using Lyapunov functions [JJ.

Definition 1. A smooth function $V:\mathbb{R}^n\times\mathbb{R}^n\to\mathbb{R}^+$ is a common $\delta$-GUAS Lyapunov function for $\Sigma$ if there exist $\mathcal{K}_\infty$ functions$^1$ $\underline\alpha$, $\overline\alpha$ and a real number $\kappa>0$ such that for all $x,y\in\mathbb{R}^n$, for all $p\in P$:

$$\underline\alpha(\|x-y\|)\le V(x,y)\le\overline\alpha(\|x-y\|);$$



$^1$ A continuous function $\gamma:\mathbb{R}^+\to\mathbb{R}^+$ is said to belong to class $\mathcal{K}_\infty$ if it is strictly increasing, $\gamma(0)=0$ and $\gamma(r)\to\infty$ when $r\to\infty$.

It can be shown that the existence of a common $\delta$-GUAS Lyapunov function ensures that the switched system $\Sigma$ is $\delta$-GUAS.

We now introduce the class of transition systems which will serve as a common modeling framework for switched systems and symbolic models.

Definition 2. A transition system $T=(X,U,S,Y,O)$ consists of:

• a set of states $X$;

• a set of inputs $U$;

• a (set-valued) transition map $S: X\times U\to 2^X$;

• a set of outputs $Y$;

• and an output map $O: X\to Y$.

$T$ is metric if the set of outputs $Y$ is equipped with a metric $d$. If the sets of states $X$ and inputs $U$ are finite or countable, $T$ is said to be symbolic or discrete.

An input $u\in U$ belongs to the set of enabled inputs at state $x$, denoted $\mathrm{Enab}(x)$, if $S(x,u)\ne\emptyset$. If $\mathrm{Enab}(x)\ne\emptyset$, then the state $x$ is said to be non-blocking, otherwise it is said to be blocking. The system is said to be non-blocking if all states are non-blocking. If for all $x\in X$ and for all $u\in\mathrm{Enab}(x)$, $S(x,u)$ has exactly one element, then the transition system is said to be deterministic.

A state trajectory of $T$ is a finite or infinite sequence of states and inputs $\{(x^i,u^i)\mid i=0,\dots,N\}$ (we can have $N=+\infty$) where $x^{i+1}\in S(x^i,u^i)$ for all $i=0,\dots,N-1$. The associated output trajectory is the sequence of outputs $\{y^i\mid i=0,\dots,N\}$ where $y^i=O(x^i)$ for all $i=0,\dots,N$.

Given a switched system $\Sigma$ and a parameter $\tau>0$, we define a transition system $T_\tau(\Sigma)$ that describes trajectories of $\Sigma$ of duration $\tau$. This can be seen as a time sampling process, which is natural when the switching in $\Sigma$ is to be determined by a periodic controller of period $\tau$. Formally, $T_\tau(\Sigma)=(X_1,U,S_1,Y,O_1)$ where the set of states is $X_1=\mathbb{R}^n$; the set of inputs is the set of modes $U=P$; the deterministic transition map is given by $x_1'=S_1(x_1,p)$ if and only if

$$x_1'=x(\tau),\quad\text{where }\dot x(t)=f_p(x(t)),\ x(0)=x_1,\ t\in[0,\tau];$$

the set of outputs is $Y=\mathbb{R}^n$; and the observation map $O_1$ is the identity map over $\mathbb{R}^n$. $T_\tau(\Sigma)$ is non-blocking, deterministic and metric when the set of observations $Y=\mathbb{R}^n$ is equipped with the Euclidean norm.

2.2. Symbolic models 

In the following, we present a method to compute discrete abstractions for $T_\tau(\Sigma)$. For that purpose, we consider approximate equivalence relationships for transition systems defined by approximate bisimulation relations introduced in [H].






Definition 3. Let $T_i=(X_i,U,S_i,Y,O_i)$, $i=1,2$, be metric transition systems with the same sets of inputs $U$ and outputs $Y$ equipped with the metric $d$. Let $\varepsilon>0$; a relation $\mathcal{R}_\varepsilon\subseteq X_1\times X_2$ is called an $\varepsilon$-approximate bisimulation relation between $T_1$ and $T_2$ if for all $(x_1,x_2)\in\mathcal{R}_\varepsilon$:

1. $d(O_1(x_1),O_2(x_2))\le\varepsilon$;

2. $\forall u\in\mathrm{Enab}_1(x_1)$, $\forall x_1'\in S_1(x_1,u)$, $\exists x_2'\in S_2(x_2,u)$ such that $(x_1',x_2')\in\mathcal{R}_\varepsilon$;

3. $\forall u\in\mathrm{Enab}_2(x_2)$, $\forall x_2'\in S_2(x_2,u)$, $\exists x_1'\in S_1(x_1,u)$ such that $(x_1',x_2')\in\mathcal{R}_\varepsilon$.

$T_1$ and $T_2$ are approximately bisimilar with precision $\varepsilon$ (denoted $T_1\sim_\varepsilon T_2$) if there exists $\mathcal{R}_\varepsilon$, an $\varepsilon$-approximate bisimulation relation between $T_1$ and $T_2$, such that for all $x_1\in X_1$, there exists $x_2\in X_2$ such that $(x_1,x_2)\in\mathcal{R}_\varepsilon$, and conversely.

If $T_1$ is a system we want to control and $T_2$ is a simpler system that we want to use for controller synthesis, then $T_2$ is called an approximately bisimilar abstraction of $T_1$.

We briefly describe an approach similar to that presented in [7] for computing approximately bisimilar discrete abstractions of $T_\tau(\Sigma)$. We start by approximating the set of states $X_1=\mathbb{R}^n$ by a lattice:

$$[\mathbb{R}^n]_\eta=\left\{q\in\mathbb{R}^n\ \middle|\ q_i=k_i\frac{2\eta}{\sqrt n},\ k_i\in\mathbb{Z},\ i=1,\dots,n\right\}$$

where $q_i$ is the $i$-th coordinate of $q$ and $\eta>0$ is a state space discretization parameter. We associate a quantizer $Q_\eta:\mathbb{R}^n\to[\mathbb{R}^n]_\eta$ defined as follows: $q=Q_\eta(x)$ if and only if

$$\forall i=1,\dots,n,\quad q_i-\frac{\eta}{\sqrt n}\le x_i<q_i+\frac{\eta}{\sqrt n}.$$

It is easy to check that for all $x\in\mathbb{R}^n$, $\|Q_\eta(x)-x\|\le\eta$. Given a subset $X\subseteq\mathbb{R}^n$ we denote $Q_\eta(X)=\{Q_\eta(x)\mid x\in X\}$.

We can then define the abstraction of $T_\tau(\Sigma)$ as the transition system $T_{\tau,\eta}(\Sigma)=(X_2,U,S_2,Y,O_2)$, where the set of states is $X_2=[\mathbb{R}^n]_\eta$; the set of labels remains the same, $U=P$; the transition relation is essentially obtained by quantizing the transition relation of $T_\tau(\Sigma)$:

$$\forall x_2\in[\mathbb{R}^n]_\eta,\ \forall p\in P,\quad S_2(x_2,p)=Q_\eta(S_1(x_2,p));$$

the set of outputs remains the same, $Y=\mathbb{R}^n$; and the observation map $O_2$ is given by $O_2(q)=q$. Note that the transition system $T_{\tau,\eta}(\Sigma)$ is discrete since its sets of states and actions are respectively countable and finite. Moreover, it is non-blocking, deterministic and metric when the set of observations $Y=\mathbb{R}^n$ is equipped with the Euclidean norm.

The approximate bisimilarity of $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$ is related to the incremental stability of the switched system $\Sigma$. In the following, we shall assume that there exists a common $\delta$-GUAS Lyapunov function $V$ for $\Sigma$. We need to make the supplementary assumption on the $\delta$-GUAS Lyapunov function that there exists a $\mathcal{K}_\infty$ function $\gamma$ such that for all $x_1,x_2,y_1,y_2\in\mathbb{R}^n$

$$|V(x_1,x_2)-V(y_1,y_2)|\le\gamma(\|x_1-y_1\|)+\gamma(\|x_2-y_2\|).\tag{1}$$

We can show that this assumption is not restrictive provided $V$ is smooth and we are interested in the dynamics of $\Sigma$ on a compact subset of $\mathbb{R}^n$, which is often the case in practice.

We are now able to present a new approximation result for determining an approximate bisimulation relation between $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$:

Theorem 1. Consider a switched system $\Sigma$, time and state space sampling parameters $\tau,\eta>0$ and a desired precision $\varepsilon>0$. If there exists a common $\delta$-GUAS Lyapunov function $V$ for $\Sigma$ such that equation (1) holds and

$$\varepsilon\ge\eta+\underline\alpha^{-1}\!\left(\frac{1+2e^{\kappa\tau}}{e^{\kappa\tau}-1}\,\gamma(\eta)\right)\tag{2}$$

then

$$\mathcal{R}_\varepsilon=\{(x_1,x_2)\in X_1\times X_2\mid V(Q_\eta(x_1),x_2)\le\underline\alpha(\varepsilon-\eta)\}$$

is an $\varepsilon$-approximate bisimulation relation between $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$. Moreover, $T_\tau(\Sigma)\sim_\varepsilon T_{\tau,\eta}(\Sigma)$.

Proof. Let $(x_1,x_2)\in\mathcal{R}_\varepsilon$, then

$$\|x_1-x_2\|\le\|Q_\eta(x_1)-x_2\|+\eta\le\underline\alpha^{-1}\big(V(Q_\eta(x_1),x_2)\big)+\eta\le\underline\alpha^{-1}\big(\underline\alpha(\varepsilon-\eta)\big)+\eta=\varepsilon.$$

Thus, the first condition of Definition 3 holds. Let us remark that $\mathrm{Enab}_1(x_1)=\mathrm{Enab}_2(x_2)=P$ and since $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$ are deterministic, the second and third conditions of Definition 3 are equivalent. Then, let $p\in P$, let $x_1'=S_1(x_1,p)$ and $x_2'=S_2(x_2,p)$; then using the properties of the $\delta$-GUAS Lyapunov function $V$ we obtain

$$\begin{aligned}
V(Q_\eta(x_1'),x_2')&=V\big(Q_\eta(S_1(x_1,p)),Q_\eta(S_1(x_2,p))\big)\\
&\le V\big(S_1(x_1,p),S_1(x_2,p)\big)+2\gamma(\eta)\\
&\le e^{-\kappa\tau}V(x_1,x_2)+2\gamma(\eta)\\
&\le e^{-\kappa\tau}\big(V(Q_\eta(x_1),x_2)+\gamma(\eta)\big)+2\gamma(\eta)\\
&\le e^{-\kappa\tau}\underline\alpha(\varepsilon-\eta)+(2+e^{-\kappa\tau})\gamma(\eta)\\
&\le\underline\alpha(\varepsilon-\eta)
\end{aligned}$$

by equation (2). It follows that $(x_1',x_2')\in\mathcal{R}_\varepsilon$, which is consequently an $\varepsilon$-approximate bisimulation relation between $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$. Now, let $x_1\in\mathbb{R}^n$ and let $x_2\in[\mathbb{R}^n]_\eta$ be given by $x_2=Q_\eta(x_1)$. Then, $V(Q_\eta(x_1),x_2)=0$ and $(x_1,x_2)\in\mathcal{R}_\varepsilon$. Conversely, let $x_2\in[\mathbb{R}^n]_\eta$ and let $x_1\in\mathbb{R}^n$ be given by $x_1=x_2$; let us remark that $Q_\eta(x_1)=x_2$, then $V(Q_\eta(x_1),x_2)=0$ and $(x_1,x_2)\in\mathcal{R}_\varepsilon$. Hence, it follows that $T_\tau(\Sigma)\sim_\varepsilon T_{\tau,\eta}(\Sigma)$. ■
We would like to point out that for given $\tau>0$ and $\varepsilon>0$, it is always possible to find $\eta>0$ such that equation (2) holds. Hence, it is possible for any time sampling parameter $\tau>0$ to compute symbolic models for switched systems of arbitrary precision $\varepsilon>0$ by choosing a sufficiently small state space sampling parameter $\eta>0$.
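The lattice, the quantizer and condition (2) can be checked numerically. The following Python code is an added example, not code from the paper: it implements $[\mathbb{R}^n]_\eta$ and $Q_\eta$ as defined in Section 2.2, verifies the bound $\|Q_\eta(x)-x\|\le\eta$ on constructed points, and evaluates condition (2) in the special case $\underline\alpha(r)=\gamma(r)=r$ (the norm-based Lyapunov function of the example in Section 5), using the values $\tau=5$, $\varepsilon=0.25$, $\kappa=0.0042$ and $\eta=0.0014$ that Section 5 reports. All function names are mine.

```python
import math

def cell(eta, n):
    """Lattice spacing 2*eta/sqrt(n) of [R^n]_eta (Section 2.2)."""
    return 2 * eta / math.sqrt(n)

def lattice_point(k, eta):
    """Point of [R^n]_eta with integer coordinates k = (k_1, ..., k_n)."""
    h = cell(eta, len(k))
    return tuple(k_i * h for k_i in k)

def quantize(x, eta):
    """Q_eta(x): the unique q in [R^n]_eta with q_i - eta/sqrt(n) <= x_i < q_i + eta/sqrt(n)."""
    h = cell(eta, len(x))
    return lattice_point(tuple(math.floor(x_i / h + 0.5) for x_i in x), eta)

def quantization_error(x, eta):
    """||Q_eta(x) - x||; the paper notes this is at most eta for every x."""
    return math.dist(quantize(x, eta), x)

def eta_max(eps, tau, kappa):
    """Largest eta satisfying condition (2) when alpha and gamma are the identity:
    eps >= eta + (1 + 2 e^{kappa tau}) / (e^{kappa tau} - 1) * eta."""
    c = (1 + 2 * math.exp(kappa * tau)) / (math.exp(kappa * tau) - 1)
    return eps / (1 + c)

def satisfies_condition_2(eps, tau, eta, kappa):
    """Condition (2) of Theorem 1 for identity alpha and gamma."""
    return eta <= eta_max(eps, tau, kappa)

def worst_case_error(eta, n, trials=1000):
    """Largest quantization error over a deterministic sweep of constructed points that
    approach a cell boundary, where the error approaches (but never exceeds) eta."""
    h = cell(eta, n)
    worst = 0.0
    for t in range(trials):
        frac = (t / trials) * 0.999999        # fraction of a half-cell, strictly below 1
        x = tuple(3 * h * (i + 1) + frac * h / 2 for i in range(n))
        worst = max(worst, quantization_error(x, eta))
    return worst
```

With identity $\underline\alpha$ and $\gamma$, condition (2) reduces to $\eta\le\varepsilon/(1+c)$ with $c=(1+2e^{\kappa\tau})/(e^{\kappa\tau}-1)$; for the Section 5 values this gives $\eta\le 0.00173$, so the choice $\eta=0.0014$ made there satisfies it, while $\eta=0.002$ would not.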

We would like to emphasize the differences between Theorem 1 and the original approximation result presented in [7]. The computations of the abstractions are essentially the same. The main difference lies in the expression of the approximate bisimulation relation: $(x_1,x_2)\in\mathcal{R}_\varepsilon$ if and only if $V(x_1,x_2)\le\underline\alpha(\varepsilon)$ in [7], instead of $V(Q_\eta(x_1),x_2)\le\underline\alpha(\varepsilon-\eta)$ in Theorem 1. This difference is fundamental because it will allow us to synthesize quantized controllers. It should also be noted that the relations to be satisfied by the abstraction parameters $\tau$, $\eta$ and $\varepsilon$ are different: for identical precision and time sampling parameters, Theorem 1 generally requires a finer state sampling parameter than the result presented in [7].

In the remainder of the paper, we consider a switched system $\Sigma$ with time and state space sampling parameters $\tau$ and $\eta$. We shall work with the transition systems $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$ and we shall assume that the assumptions of Theorem 1 hold. We will denote for $x\in\mathbb{R}^n$, $\mathcal{R}_\varepsilon(x)=\{q\in[\mathbb{R}^n]_\eta\mid(x,q)\in\mathcal{R}_\varepsilon\}$. We will also use the relation

$$\mathcal{R}_\varepsilon=\{(q,q')\in[\mathbb{R}^n]_\eta\times[\mathbb{R}^n]_\eta\mid V(q,q')\le\underline\alpha(\varepsilon-\eta)\}$$

and we denote for $q\in[\mathbb{R}^n]_\eta$, $\mathcal{R}_\varepsilon(q)=\{q'\in[\mathbb{R}^n]_\eta\mid(q,q')\in\mathcal{R}_\varepsilon\}$. Let us remark that for all $x\in\mathbb{R}^n$, $\mathcal{R}_\varepsilon(x)=\mathcal{R}_\varepsilon(Q_\eta(x))$.

3. Synthesis of Quantized Switching Controllers 

In this section, we present an approach for synthesizing quantized switching controllers for safety or reachability specifications. It is based on the use of Theorem 1 combined with controller synthesis techniques presented in [11]. We start by defining the notion of controller for transition systems:

Definition 4. A controller for transition system $T=(X,U,S,Y,O)$ is a set-valued map $C: X\to 2^U$ such that $C(x)\subseteq\mathrm{Enab}(x)$, for all $x\in X$. The domain of $C$ is the set $\mathrm{dom}(C)=\{x\in X\mid C(x)\ne\emptyset\}$. The dynamics of the controlled system is described by the transition system $T/C=(X,U,S_C,Y,O)$ where the transition map is given by $x'\in S_C(x,u)$ if and only if $u\in C(x)$ and $x'\in S(x,u)$.

We would like to emphasize the fact that the controllers are set-valued maps: at a given state $x$, a controller enables a set of admissible inputs $C(x)\subseteq U$. A controller essentially executes as follows. The state $x$ of $T$ is measured, an input $u\in C(x)$ is selected and actuated. Then, the system takes a transition $x'\in S(x,u)$. The blocking states of $T/C$ are the elements of $X\setminus\mathrm{dom}(C)$. Given a subset $X'\subseteq X$, we denote $C(X')=\bigcup_{x\in X'}C(x)$.
3.1. Safety controllers

Let $Y_S\subseteq Y$ be a set of outputs associated with safe states. We consider the safety synthesis problem that consists in determining a controller that keeps the output of the system inside the specified safe set $Y_S$.

Definition 5. Let $Y_S\subseteq Y$ be a set of safe outputs. A controller $C$ is a safety controller for $T=(X,U,S,Y,O)$ and specification $Y_S$ if for all $x\in\mathrm{dom}(C)$:

1. $O(x)\in Y_S$ (safety);

2. $\forall u\in C(x)$, $S(x,u)\subseteq\mathrm{dom}(C)$ (deadend freedom).

It is easy to verify from the previous definition that for any initial state $x^0\in\mathrm{dom}(C)$, the controlled system $T/C$ will never reach a blocking state (because of the deadend freedom condition) and its outputs will remain in the safe set $Y_S$ forever (because of the safety condition).

We now consider the problem of synthesizing a safety controller for $T_\tau(\Sigma)$ describing the sampled dynamics of the switched system $\Sigma$. Let us consider a safety specification given by a compact set $Y_S\subseteq\mathbb{R}^n$. We shall use a method developed in [11] for synthesizing safety controllers for transition systems using approximately bisimilar abstractions. Let us define the $\varepsilon$-contraction of $Y_S$ as

$$\mathrm{Cont}_\varepsilon(Y_S)=\{y\in Y_S\mid\forall y'\in\mathbb{R}^n,\ \|y-y'\|\le\varepsilon\Rightarrow y'\in Y_S\}.$$

Theorem 2. Let $\mathcal{K}_\varepsilon:[\mathbb{R}^n]_\eta\to 2^P$ be a safety controller for the symbolic model $T_{\tau,\eta}(\Sigma)$ and specification $\mathrm{Cont}_\varepsilon(Y_S)$. Let $\mathcal{K}:[\mathbb{R}^n]_\eta\to 2^P$ be given for $q\in[\mathbb{R}^n]_\eta$ by

(3)

Then, the map $C:\mathbb{R}^n\to 2^P$ given by $C=\mathcal{K}\circ Q_\eta$ is a safety controller for $T_\tau(\Sigma)$ and specification $Y_S$.

Proof. By Theorem 1 in [11], we have that $C:\mathbb{R}^n\to 2^P$ given by $C(x)=\mathcal{K}_\varepsilon(\mathcal{R}_\varepsilon(x))$ is a safety controller for $T_\tau(\Sigma)$ and specification $Y_S$. Then, using the fact that $\mathcal{R}_\varepsilon(x)=\mathcal{R}_\varepsilon(Q_\eta(x))$ we obtain $C=\mathcal{K}\circ Q_\eta$. ■

It is to be noted that since $Y_S$ is compact, the set of states of the symbolic model $T_{\tau,\eta}(\Sigma)$ with associated outputs in $\mathrm{Cont}_\varepsilon(Y_S)$ is finite. As a consequence, the synthesis of the safety controller $\mathcal{K}_\varepsilon$ can be done by a simple fixed-point algorithm which is guaranteed to terminate in a finite number of steps (see e.g. HH] for details).

Let us remark that the only non-trivial values of $C(x)$ are for $x\in Y_S$ since from a state $x\notin Y_S$, the safety specification cannot be met and therefore $C(x)=\emptyset$. Hence, it is only necessary to compute $\mathcal{K}$ on $Q_\eta(Y_S)$ which is finite since $Y_S$ is a compact subset of $\mathbb{R}^n$. Hence, it is possible to entirely pre-compute offline the discrete map $\mathcal{K}$. Then, for a state $x\in\mathbb{R}^n$ the computation of the inputs enabled by $C$ only requires quantizing the state $x$ and evaluating $\mathcal{K}(Q_\eta(x))$. Thus, Theorem 2 gives an effective way to compute a quantized safety controller for $T_\tau(\Sigma)$. Moreover, as shown in [11], it is possible to give guarantees on the distance between the synthesized controller $C$ and the most permissive controller for the safety specification $Y_S$.

Let us now discuss the complexity of the synthesized controller. The online execution time of the controller defined in Theorem 2 is in $O(n)$ (cost of a quantization) and does not depend on the state space sampling parameter $\eta$. However, the memory space needed to store the control law naively (that is, the map $\mathcal{K}$) is proportional to the number of states in $Q_\eta(Y_S)$, that is $O(\eta^{-n})$, which can be quite large in practice. In comparison, using the approximate bisimulation relation given in [7] and Theorem 1 in [11], the synthesized controller would have been given by

$$C(x)=\bigcup_{q'\in[\mathbb{R}^n]_\eta,\ V(x,q')\le\underline\alpha(\varepsilon)}\mathcal{K}_\varepsilon(q').$$

It is to be noted that the continuous state $x$ is not quantized and therefore the union cannot be computed offline for all possible values of $x$ as previously, but has to be computed online. In practice, the number of elements $q'\in[\mathbb{R}^n]_\eta$ such that $V(x,q')\le\underline\alpha(\varepsilon)$ is in $O((\varepsilon/\eta)^n)$, which can be quite large. Also, the memory space needed for the storage of the map $\mathcal{K}_\varepsilon$ is in $O(\eta^{-n})$. Hence, we can see that our new approximation result allows us to synthesize controllers with smaller execution time and comparable memory usage.

3.2. Reachability controllers 

Let $Y_S\subseteq Y$ be a set of outputs associated with safe states, let $Y_T\subseteq Y_S$ be a set of outputs associated with target states. We consider the reachability synthesis problem that consists in determining a controller steering the output of the system to $Y_T$ while keeping the output in $Y_S$ along the way. For simplicity, we assume that the transition systems we consider are non-blocking. Let us remark that this is the case for the transition systems $T_\tau(\Sigma)$ and $T_{\tau,\eta}(\Sigma)$ considered in this paper.

Definition 6. Let $C$ be a controller for $T=(X,U,S,Y,O)$ such that for all $x\in X$, $C(x)\ne\emptyset$. The entry time of $T/C$ from $x^0\in X$ for reachability specification $(Y_S,Y_T)$ is the smallest $N\in\mathbb{N}$ such that for all state trajectories of $T/C$ of length $N$ and starting from $x^0$, $(x^0,u^0),(x^1,u^1),\dots,(x^{N-1},u^{N-1}),(x^N,u^N)$, there exists $K\in\{0,\dots,N\}$ such that

1. $\forall k\in\{0,\dots,K\}$, $O(x^k)\in Y_S$;

2. $O(x^K)\in Y_T$.

The entry time is denoted by $J(T/C,Y_S,Y_T,x^0)$. If such an $N\in\mathbb{N}$ does not exist, then we define $J(T/C,Y_S,Y_T,x^0)=+\infty$.

It is clear from the previous definition that for any initial state $x^0$ with finite entry time, the outputs of the controlled system $T/C$ will remain in the safe set $Y_S$ until one output eventually reaches the target set $Y_T$ in a number of transitions bounded by $J(T/C,Y_S,Y_T,x^0)$. Hence, for those states, the reachability specification is met. It should be noted that for all $x^0\in X$, $J(T/C,Y_S,Y_T,x^0)=0$ if and only if $O(x^0)\in Y_T$, and that for all $x^0\in X$ such that $O(x^0)\notin Y_S$, $J(T/C,Y_S,Y_T,x^0)=+\infty$. Also, for all $x\in X$ such that $0<J(T/C,Y_S,Y_T,x)<+\infty$, it is easy to show that

$$J(T/C,Y_S,Y_T,x)=1+\max_{u\in C(x),\ x'\in S(x,u)}J(T/C,Y_S,Y_T,x').\tag{4}$$

We now consider the problem of synthesizing a reachability controller for $T_\tau(\Sigma)$ describing the sampled dynamics of the switched system $\Sigma$. Let us consider a reachability specification given by compact sets $Y_S\subseteq\mathbb{R}^n$ and $Y_T\subseteq Y_S$.

Theorem 3. Let $\mathcal{K}_\varepsilon:[\mathbb{R}^n]_\eta\to 2^P$ be a controller for the symbolic model $T_{\tau,\eta}(\Sigma)$, let the map $\mathcal{K}:[\mathbb{R}^n]_\eta\to 2^P$ be given for $q\in[\mathbb{R}^n]_\eta$ by$^2$

$$\mathcal{K}(q)=\mathcal{K}_\varepsilon\Big(\arg\min_{q'\in\mathcal{R}_\varepsilon(q)}J\big(T_{\tau,\eta}(\Sigma)/\mathcal{K}_\varepsilon,\mathrm{Cont}_\varepsilon(Y_S),\mathrm{Cont}_\varepsilon(Y_T),q'\big)\Big).\tag{5}$$

Then, the map $C:\mathbb{R}^n\to 2^P$ given by $C=\mathcal{K}\circ Q_\eta$ satisfies for all $x\in\mathbb{R}^n$:

$$J(T_\tau(\Sigma)/C,Y_S,Y_T,x)\le J(Q_\eta(x))\tag{6}$$

where $J:[\mathbb{R}^n]_\eta\to\mathbb{N}$ is the map given for $q\in[\mathbb{R}^n]_\eta$ by

$$J(q)=\min_{q'\in\mathcal{R}_\varepsilon(q)}J\big(T_{\tau,\eta}(\Sigma)/\mathcal{K}_\varepsilon,\mathrm{Cont}_\varepsilon(Y_S),\mathrm{Cont}_\varepsilon(Y_T),q'\big).$$

Proof. By Theorem 3 in [11], we have that $C:\mathbb{R}^n\to 2^P$ given by

$$C(x)=\mathcal{K}_\varepsilon\Big(\arg\min_{q'\in\mathcal{R}_\varepsilon(x)}J\big(T_{\tau,\eta}(\Sigma)/\mathcal{K}_\varepsilon,\mathrm{Cont}_\varepsilon(Y_S),\mathrm{Cont}_\varepsilon(Y_T),q'\big)\Big)\tag{7}$$

satisfies

$$J(T_\tau(\Sigma)/C,Y_S,Y_T,x)\le\min_{q'\in\mathcal{R}_\varepsilon(x)}J\big(T_{\tau,\eta}(\Sigma)/\mathcal{K}_\varepsilon,\mathrm{Cont}_\varepsilon(Y_S),\mathrm{Cont}_\varepsilon(Y_T),q'\big).\tag{8}$$

Then, using the fact that $\mathcal{R}_\varepsilon(x)=\mathcal{R}_\varepsilon(Q_\eta(x))$, equation (7) gives $C=\mathcal{K}\circ Q_\eta$ and equation (8) gives (6). ■

$^2$ The function $\arg\min$ is to be understood as a set-valued map: it returns the set of minimizers.

Similarly to safety controllers, the synthesis of a reachability controller $\mathcal{K}_\varepsilon$ for the symbolic model $T_{\tau,\eta}(\Sigma)$ can be done by a simple fixed-point algorithm (e.g. using dynamic programming) which is guaranteed to terminate in a finite number of steps since $Y_S$ is compact. It should be noted that we are only interested in the values of $C(x)$ for $x\in Y_S$ since from $x\notin Y_S$ the reachability specification cannot be met. Hence, it is only necessary to compute $\mathcal{K}$ on $Q_\eta(Y_S)$ which is finite since $Y_S$ is a compact subset of $\mathbb{R}^n$. Therefore, the map

pute a quantized reachability controller for $T_\tau(\Sigma)$. Moreover, it is possible to give guarantees on the distance between the performances of the synthesized controller $C$ and the time optimal controller for the reachability specification $(Y_S,Y_T)$ [11]. The complexity of the synthesized controller in terms of execution time and memory consumption is similar to that of the safety controllers discussed in the previous section.
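To make the fixed-point synthesis of Sections 3.1 and 3.2 and the lifting of Theorems 2 and 3 concrete, here is an added Python example (my code, not the paper's implementation) on a constructed one-room variant of the Section 5 thermal model, $\dot T=\alpha_e(T_e-T)+\alpha_f(T_f-T)\,p$, with $\alpha_e=5\times10^{-3}$, $\alpha_f=8.3\times10^{-3}$ and $T_e=10$ taken from Section 5 and the heater temperature $T_f=50$ assumed. With $V(x,y)=|x-y|$ one has $\underline\alpha=\overline\alpha=\gamma=\mathrm{id}$ and $\kappa=\alpha_e$, so $\tau=5$, $\varepsilon=0.25$ and $\eta=0.002$ satisfy condition (2). The block builds $T_{\tau,\eta}(\Sigma)$ on the contracted safe set, computes a safety controller $\mathcal{K}_\varepsilon$ by the fixed point, a time-optimal reachability controller by dynamic programming, lifts both to $\mathcal{K}=\mathcal{K}_\varepsilon(\mathcal{R}_\varepsilon(\cdot))$ and to equation (5), and exposes the quantized controller $C=\mathcal{K}\circ Q_\eta$ together with checks of the guarantee of Theorem 2 (closed-loop safety) and of bound (6). Function names are mine.

```python
import math

# Constructed one-room variant of the paper's Section 5 thermal model (the paper uses two
# rooms): dT/dt = a_e (T_e - T) + a_f (T_f - T) p, heater mode p in P = {0, 1}.
# a_e, a_f and T_e are the paper's values; the heater temperature T_F = 50 is an assumption.
A_E, A_F, T_E, T_F = 5e-3, 8.3e-3, 10.0, 50.0
P = (0, 1)
TAU, EPS, ETA = 5.0, 0.25, 0.002           # period, precision and lattice parameter
Y_S, Y_T = (20.0, 22.0), (21.0, 22.0)      # safe and target intervals (outputs = states)
INF = math.inf

def step(x, p):
    """S_1(x, p) of T_tau: exact solution of the scalar affine ODE over one period."""
    a = A_E + A_F * p
    x_eq = (A_E * T_E + A_F * T_F * p) / a
    return x_eq + (x - x_eq) * math.exp(-a * TAU)

# Lattice [R]_eta with points q_k = 2*eta*k; Q_eta picks the k with q_k - eta <= x < q_k + eta.
def quantize(x):
    return math.floor(x / (2 * ETA) + 0.5)

def succ(k, p):
    """S_2(q_k, p) = Q_eta(S_1(q_k, p)): successor index in the symbolic model T_{tau,eta}."""
    return quantize(step(2 * ETA * k, p))

def contract(lo, hi):
    """Lattice indices of Cont_eps([lo, hi]) = [lo + eps, hi - eps]."""
    return set(range(math.ceil((lo + EPS) / (2 * ETA)), math.floor((hi - EPS) / (2 * ETA)) + 1))

def safety_controller(safe):
    """K_eps: fixed point dropping states from which no mode keeps the successor in the domain."""
    dom = set(safe)
    while True:
        ctrl = {k: {p for p in P if succ(k, p) in dom} for k in dom}
        dom_next = {k for k, modes in ctrl.items() if modes}
        if dom_next == dom:
            return ctrl                     # states outside dom(K_eps) are simply absent
        dom = dom_next

def reachability_controller(safe, target):
    """Time-optimal K_eps and entry times J(T_{tau,eta}/K_eps, Cont(Y_S), Cont(Y_T), q) by
    backward dynamic programming; leaving the contracted safe set counts as +inf."""
    J = {k: (0 if k in target else INF) for k in safe}
    changed = True
    while changed:
        changed = False
        for k in safe:
            best = min(1 + J.get(succ(k, p), INF) for p in P)
            if J[k] > 0 and best < J[k]:
                J[k], changed = best, True
    # optimal modes where the target is reachable; any mode on target or unreachable states
    ctrl = {k: ({p for p in P if 1 + J.get(succ(k, p), INF) == J[k]} if 0 < J[k] < INF else set(P))
            for k in safe}
    return ctrl, J

def neighbours(k):
    """R_eps(q_k) for V(q, q') = |q - q'| and alpha(r) = r: points with |q - q'| <= eps - eta."""
    r = math.floor((EPS - ETA) / (2 * ETA) + 1e-9)
    return range(k - r, k + r + 1)

def lift_safety(k_eps):
    """K(q) = K_eps(R_eps(q)) on Q_eta(Y_S): the map of Theorem 2."""
    return {k: set().union(*(k_eps.get(j, set()) for j in neighbours(k)))
            for k in range(quantize(Y_S[0]), quantize(Y_S[1]) + 1)}

def lift_reachability(k_eps, J):
    """K(q) = K_eps(argmin_{q' in R_eps(q)} J(q')) (equation (5)) and the bound J_hat of (6)."""
    K, J_hat = {}, {}
    for k in range(quantize(Y_S[0]), quantize(Y_S[1]) + 1):
        js = {j: J.get(j, INF) for j in neighbours(k)}
        J_hat[k] = min(js.values())
        K[k] = set().union(*(k_eps.get(j, set(P)) for j, v in js.items() if v == J_hat[k]))
    return K, J_hat

def controller(K, x):
    """C(x) = K(Q_eta(x)): one quantization plus one table look-up online."""
    return K.get(quantize(x), set())

def closed_loop(K, x0, steps):
    """T_tau/C under one selection rule (heat whenever allowed); stops early if blocked."""
    traj = [x0]
    for _ in range(steps):
        modes = controller(K, traj[-1])
        if not modes:
            break
        traj.append(step(traj[-1], max(modes)))
    return traj

def entry_time(K, x, budget):
    """J(T_tau/C, Y_S, Y_T, x) of Definition 6: worst case over the modes C enables, to depth budget."""
    if Y_T[0] <= x <= Y_T[1]:
        return 0
    if not (Y_S[0] <= x <= Y_S[1]) or budget == 0:
        return INF
    modes = controller(K, x)
    return 1 + max(entry_time(K, step(x, p), budget - 1) for p in modes) if modes else INF

def synthesize():
    """Quantized safety and reachability controllers of Section 3 for the constructed model."""
    safe, target = contract(*Y_S), contract(*Y_T)
    K_safe = lift_safety(safety_controller(safe))
    K_reach, J_hat = lift_reachability(*reachability_controller(safe, target))
    return K_safe, K_reach, J_hat
```

After `synthesize()`, `controller(K_safe, x)` returns the admissible modes at a measured temperature $x$ with one quantization and one dictionary look-up, which is the point of Theorem 2; `controller(K_safe, 20.0)` is empty because $\mathcal{R}_\varepsilon(Q_\eta(20))$ contains no state of the contracted safe set, an instance of the conservatism discussed after Theorem 2. `entry_time` explores the closed loop exhaustively and lets one confirm bound (6) point by point.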

4. Complexity Reduction 

We now consider the problem of representing the discrete maps $\mathcal{K}$ defined in Theorems 2 and 3 more efficiently in order to reduce the memory space needed for their storage. To reduce the memory needed to store the control law, we will not encode the (set-valued) maps $\mathcal{K}$ but determinizations of $\mathcal{K}$.

4.1. Determinization of safety controllers

We first explain our approach for safety controllers. Let $\mathcal{K}$ be the map defined in Theorem 2 and let $C=\mathcal{K}\circ Q_\eta$.

Definition 7. A determinization of the set-valued map $\mathcal{K}$ is a univalued map $\mathcal{K}_d:Q_\eta(Y_S)\to P$ such that

$$\forall q\in Q_\eta(Y_S),\quad\mathcal{K}(q)\ne\emptyset\Rightarrow\mathcal{K}_d(q)\in\mathcal{K}(q).$$

If $\mathcal{K}(q)=\emptyset$, we do not impose any constraint on the value of $\mathcal{K}_d(q)$. This will allow us to reduce further the complexity of our control law.

Theorem 4. Let the controller $C_d:\mathbb{R}^n\to 2^P$ for $T_\tau(\Sigma)$ be given for all $x\in\mathbb{R}^n$ by

$$C_d(x)=\begin{cases}\{\mathcal{K}_d(Q_\eta(x))\}&\text{if }x\in Y_S\\ \emptyset&\text{otherwise.}\end{cases}$$

Then, for all state trajectories $\{(x^i,u^i)\mid i=0,\dots,N\}$ of the controlled system $T_\tau(\Sigma)/C_d$ such that $x^0\in\mathrm{dom}(C)$, we have $O_1(x^i)\in Y_S$ for all $i=0,\dots,N$ and, if $N$ is finite, $x^N$ is a non-blocking state of $T_\tau(\Sigma)/C_d$.

Proof. Since $C$ is a safety controller we have $\mathrm{dom}(C)\subseteq Y_S=\mathrm{dom}(C_d)$. Let $x\in\mathrm{dom}(C)$, then $x\in\mathrm{dom}(C_d)$ and therefore $x$ is a non-blocking state of $T_\tau(\Sigma)/C_d$. Let $p\in C_d(x)$; since $\mathcal{K}(Q_\eta(x))=C(x)\ne\emptyset$, Definition 7 implies that $p=\mathcal{K}_d(Q_\eta(x))\in\mathcal{K}(Q_\eta(x))=C(x)$. Since $C$ is a safety controller, it follows that $x'=S_1(x,p)\in\mathrm{dom}(C)$. From the previous discussion, it follows by induction that for all $i=0,\dots,N$, $x^i\in\mathrm{dom}(C)$. Moreover, if $N$ is finite, $x^N$ is a non-blocking state of $T_\tau(\Sigma)/C_d$. Finally, since $C$ is a safety controller, $x^i\in\mathrm{dom}(C)$ gives $O_1(x^i)\in Y_S$ for all $i=0,\dots,N$. ■

Let us remark that the controller $C_d$ is generally not a safety controller for $T_\tau(\Sigma)$ and specification $Y_S$ in the sense of Definition 5 because there might be states in $\mathrm{dom}(C_d)$ for which the safety specification is not met. However, the previous result shows that for an initial state $x\in\mathrm{dom}(C)$, the controlled system $T_\tau(\Sigma)/C_d$ will never reach a blocking state and its outputs will remain forever in the safe set $Y_S$.

4.2. Determinization of reachability controllers

We now do a similar work for reachability controllers. Let $\mathcal{K}$ and $J$ be the maps defined in Theorem 3 and let $C=\mathcal{K}\circ Q_\eta$.

Definition 8. A determinization of the set-valued map $\mathcal{K}$ is a univalued map $\mathcal{K}_d:Q_\eta(Y_S)\to P$ such that

$$\forall q\in Q_\eta(Y_S\setminus Y_T),\quad J(q)<+\infty\Rightarrow\mathcal{K}_d(q)\in\mathcal{K}(q).$$

If $J(q)=+\infty$, or if $q\notin Q_\eta(Y_S\setminus Y_T)$, we do not impose any constraint on the value of $\mathcal{K}_d(q)$. This will allow us to reduce further the complexity of our control law.

Theorem 5. Let the controller $C_d:\mathbb{R}^n\to 2^P$ for $T_\tau(\Sigma)$ be given for all $x\in\mathbb{R}^n$ by

$$C_d(x)=\begin{cases}\{\mathcal{K}_d(Q_\eta(x))\}&\text{if }x\in Y_S\setminus Y_T\\ P&\text{otherwise.}\end{cases}$$

Then, for all $x\in\mathbb{R}^n$,

$$J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)\le J(Q_\eta(x)).\tag{9}$$

Proof. If $x\notin Y_S$, it follows that $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)=+\infty$ and that $J(T_\tau(\Sigma)/C,Y_S,Y_T,x)=+\infty$. Then, equation (6) gives $J(Q_\eta(x))=+\infty$ and (9) holds. If $x\in Y_S$ and $J(Q_\eta(x))=+\infty$ then (9) clearly holds as well. The only remaining case is $x\in Y_S$ and $J(Q_\eta(x))<+\infty$. We now proceed by induction to show that

$$J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)\le J(T_\tau(\Sigma)/C,Y_S,Y_T,x)\tag{10}$$

which together with equation (6) gives (9). The induction is on the value of $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)$. Let $x$ be such that $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)=0$, then $x\in Y_T$ and $J(T_\tau(\Sigma)/C,Y_S,Y_T,x)=0$ as well. Let us assume that there exists $N\in\mathbb{N}$ such that for all $x$ such that $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)\le N$, equation (10) holds. We have shown that it is satisfied for $N=0$. Then, let $x$ be such that $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)=N+1$. Then, we have $0<J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)<+\infty$ which implies that $x\in Y_S\setminus Y_T$. Moreover, since $J(Q_\eta(x))<+\infty$, we have by Definition 8 and by construction of $C_d$ that $C_d(x)\subseteq C(x)$. Let $p\in C_d(x)$ and $x'\in S_1(x,p)$, then equation (4) gives that $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x')\le N$. Then, the induction assumption gives $J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x')\le J(T_\tau(\Sigma)/C,Y_S,Y_T,x')$. Then, equation (4) yields

$$\begin{aligned}
J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x)&=1+\max_{p\in C_d(x),\ x'\in S_1(x,p)}J(T_\tau(\Sigma)/C_d,Y_S,Y_T,x')\\
&\le 1+\max_{p\in C_d(x),\ x'\in S_1(x,p)}J(T_\tau(\Sigma)/C,Y_S,Y_T,x')\\
&\le 1+\max_{p\in C(x),\ x'\in S_1(x,p)}J(T_\tau(\Sigma)/C,Y_S,Y_T,x')\\
&\le J(T_\tau(\Sigma)/C,Y_S,Y_T,x).
\end{aligned}$$

This completes the induction. ■

The previous result essentially states that using the controller $C_d$, the reachability specification will be met for all initial states $x^0\in Y_S$ such that $J(Q_\eta(x^0))<+\infty$. Moreover, equation (10) shows that from those initial states, the entry time using the controller $C_d$ cannot be larger than the entry time using the controller $C$.



4.3. Efficient representation using algebraic decision diagrams

We now consider the problem of choosing an appropriate determinization $\mathcal{K}_d$ of $\mathcal{K}$ and a representation which requires little memory for its storage. We explain our approach for safety controllers but it can be straightforwardly extended to handle reachability controllers as well. A natural representation for $\mathcal{K}_d$ would be to use an array, which would require $O(\eta^{-n})$ memory space. We propose a more efficient representation inspired by algebraic decision diagrams (ADDs). The main idea is to use a tree structure which exploits redundant information to represent the map in a more compact way. Also, in our case, when $\mathcal{K}(q)$ is empty or when it has more than 2 elements, we have some flexibility for the choice of $\mathcal{K}_d(q)$ which can be used to reduce the size of the representation.

The proposed method for choosing $\mathcal{K}_d$ essentially works as follows: if there exists $p\in P$ such that for all $q\in Q_\eta(Y_S)$, $\mathcal{K}(q)=\emptyset$ or $p\in\mathcal{K}(q)$, we can choose $\mathcal{K}_d$ to be the map with constant value $p$ on $Q_\eta(Y_S)$. The memory space needed to store $\mathcal{K}_d$ is then $O(1)$. If such an input value does not exist, then we can split (typically using a hyperplane) the set $Q_\eta(Y_S)$ into 2 subsets of similar sizes. This process can then be repeated iteratively: we try to find a suitable constant value on each of the subsets and if this is not possible these sets can be split further.

In Figure 1, we show an example of representation using a tree structure of a determinization of a set-valued map $\mathcal{K}:\{1,2,3,4\}^2\to 2^P$ where $P=\{0,1\}$. We cannot find a suitable constant value on the whole set $\{1,2,3,4\}^2$. Thus, it is split into two subsets $\{1,2\}\times\{1,2,3,4\}$ and $\{3,4\}\times\{1,2,3,4\}$. For $q\in\{1,2\}\times\{1,2,3,4\}$ we can choose $\mathcal{K}_d(q)=0$. On $\{3,4\}\times\{1,2,3,4\}$, there is no suitable value. This set is split further into the subsets $\{3,4\}\times\{1,2\}$ and $\{3,4\}^2$. For $q\in\{3,4\}^2$, we can choose $\mathcal{K}_d(q)=1$. On $\{3,4\}\times\{1,2\}$, there is no suitable value and this set has to be split further. By repeating this process, we obtain the determinization $\mathcal{K}_d$ represented by the tree structure in Figure 1.

Figure 1: A set-valued map $\mathcal{K}:\{1,2,3,4\}^2\to 2^P$ where $P=\{0,1\}$ and a determinization given by colors (dark gray for 1, light gray for 0) and its representation using a tree structure.



Remark 1. For reachability controllers, the approach is essentially the same except that for all regions in our partition there must be a mode $p\in P$ such that for all $q$ in the region, $J(q)=+\infty$ or $q\notin Q_\eta(Y_S\setminus Y_T)$ or $p\in\mathcal{K}(q)$.

Using this representation for the determinization $\mathcal{K}_d$, the online execution time of the controller $C_d$ is given by the longest path in the tree, which is in $O(-n\log\eta)$. This is a little bit more than for the controller $C$. The memory space needed to store the control law is given by the number of nodes in the tree, which is $O(\eta^{-n})$ in the worst case. However, in practice, we can expect much less, as an example will show in the next section.
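The splitting procedure above can be written as a short recursive routine. The following Python code is an added example, not the paper's implementation: it uses a constructed map $\mathcal{K}$ on $\{1,2,3,4\}^2$ with $P=\{0,1\}$ (chosen so that the first splits coincide with those described for Figure 1; the figure's own map is not reproduced), builds the tree of Section 4.3 by trying each mode as a constant on a region and splitting the longest axis at its midpoint otherwise, and checks Definition 7 on the result. The region and node representations are my own choices.

```python
import itertools

# Constructed set-valued map K on {1,2,3,4}^2 with P = {0,1}, chosen so that the splitting
# proceeds as in the text (0 works on {1,2}x{1..4}, 1 works on {3,4}^2, {3,4}x{1,2} needs
# further splits). The paper's Figure 1 uses its own map, which is not reproduced here.
P = (0, 1)
K = {
    (1, 1): {0}, (1, 2): {0, 1}, (1, 3): set(), (1, 4): {0},
    (2, 1): {0, 1}, (2, 2): {0}, (2, 3): {0}, (2, 4): {0, 1},
    (3, 1): {0}, (3, 2): {1}, (4, 1): {1}, (4, 2): {0},
    (3, 3): {1}, (3, 4): {0, 1}, (4, 3): {1}, (4, 4): {1},
}

def points(region):
    """All lattice points of a box region given as a list of inclusive (lo, hi) index ranges."""
    return itertools.product(*(range(lo, hi + 1) for lo, hi in region))

def constant_mode(K, region):
    """A mode p with K(q) empty or p in K(q) for every q in the region, if one exists (Definition 7)."""
    for p in P:
        if all(not K.get(q) or p in K[q] for q in points(region)):
            return p
    return None

def build_tree(K, region):
    """Tree representation of a determinization K_d: a leaf ('leaf', p) where one mode fits the
    whole region, otherwise a split of the longest axis at its midpoint ('split', axis, mid, L, R)."""
    p = constant_mode(K, region)
    if p is not None:
        return ("leaf", p)
    axis = max(range(len(region)), key=lambda i: region[i][1] - region[i][0])
    lo, hi = region[axis]
    mid = (lo + hi) // 2
    left = list(region); left[axis] = (lo, mid)
    right = list(region); right[axis] = (mid + 1, hi)
    return ("split", axis, mid, build_tree(K, left), build_tree(K, right))

def evaluate(tree, q):
    """K_d(q): walk from the root to a leaf, one comparison per level (the online cost of C_d)."""
    while tree[0] == "split":
        _, axis, mid, left, right = tree
        tree = left if q[axis] <= mid else right
    return tree[1]

def node_count(tree):
    """Memory needed for the tree, measured in nodes (an array would need one entry per point)."""
    if tree[0] == "leaf":
        return 1
    return 1 + node_count(tree[3]) + node_count(tree[4])

def is_determinization(K, tree, region):
    """Check Definition 7: K_d(q) in K(q) wherever K(q) is non-empty."""
    return all(not K.get(q) or evaluate(tree, q) in K[q] for q in points(region))

REGION = [(1, 4), (1, 4)]
TREE = build_tree(K, REGION)
```

For this constructed map the tree has 11 nodes against 16 array entries; evaluation performs one comparison per level, which is the $O(-n\log\eta)$ online cost mentioned above. The same routine applies unchanged to the larger lattices $Q_\eta(Y_S)$ of Section 5 once $\mathcal{K}$ is given as a dictionary keyed by lattice indices.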

Finally, we would like to mention that the use of ADDs for representing control laws synthesized through symbolic models has already been considered in [16]. However, as far as we know, the idea of determinizing controllers in such a way that their determinization reduces the memory needed for its storage is new.



5. Example

For illustration purposes, we consider a simple thermal model of a two-room building (see e.g. [12]):

$$\begin{cases}\dot T_1=\alpha_{21}(T_2-T_1)+\alpha_{e1}(T_e-T_1)+\alpha_f(T_f-T_1)\,p\\ \dot T_2=\alpha_{12}(T_1-T_2)+\alpha_{e2}(T_e-T_2)\end{cases}$$

where $T_1$ and $T_2$ denote the temperature in each room, $T_e=10$ is the external temperature and $T_f$ stands for the temperature of a heating device which can be switched on ($p=1$) or off ($p=0$). The system parameters are chosen as follows: $\alpha_{21}=\alpha_{12}=5\times10^{-2}$, $\alpha_{e1}=5\times10^{-3}$, $\alpha_{e2}=3.3\times10^{-3}$ and $\alpha_f=8.3\times10^{-3}$. Let $T=(T_1,T_2)^T$, then the system can be written as a switched affine system of the form

$$\Sigma:\ \dot T(t)=A_{p(t)}T(t)+b_{p(t)},\qquad p(t)\in P=\{0,1\}.$$
Figure 2: Left: Set-valued map $\mathcal{K} : Q_\eta(Y_S) \to 2^P$ (white: $\emptyset$, light gray: $\{1\}$, medium gray: $P$, dark gray: $\{0\}$). The number of elements in $Q_\eta(Y_S)$ is about 1 million. In blue, the partition used for the representation of $\mathcal{K}_d$, a determinization of $\mathcal{K}$; the resulting tree structure has only 27 nodes. Right: Determinization $\mathcal{K}_d$ of the map $\mathcal{K}$ shown on the left (light gray: 1, dark gray: 0). In blue, a trajectory of the switched system controlled using the controller $C_d = \mathcal{K}_d \circ Q_\eta$.



It is easy to verify that the function $V : \mathbb{R}^2 \times \mathbb{R}^2 \to \mathbb{R}_+$ given by $V(T, T') = \|T - T'\|$ is a $\delta$-GUAS Lyapunov function for $\Sigma$ with $\underline{\alpha}(r) = \overline{\alpha}(r) = r$ and $\kappa = 0.0042$. Moreover, equation (1) holds with $\gamma(r) = r$.

We first consider the problem of keeping the temperature in the rooms between 20 and 22 degrees Celsius. This is a safety property specified by the safe set $Y_S = [20, 22]^2$. We want to use a periodic controller with a period of $\tau = 5$ time units. For the synthesis of the controller, we use an approximately bisimilar symbolic abstraction of $T_\tau(\Sigma)$ of precision $\varepsilon = 0.25$. According to equation (2), we can choose a state-space sampling parameter $\eta = 0.0014$ for the computation of the symbolic abstraction $T_{\tau,\eta}(\Sigma)$.
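The model, the contraction rate and the structure of the periodic quantized controller can be checked numerically. The following Python is an added example, not code from the paper: it builds $A_p$ and $b_p$ from the parameters given above, recovers $\kappa$ from the eigenvalues of the (symmetric) matrices $A_p$, and runs a controller of the form $C_d = \mathcal{K}_d \circ Q_\eta$ with period $\tau = 5$. The heater temperature $T_f = 50$, the grid $\eta \mathbb{Z}^2$ used for $Q_\eta$, and the hand-written `toy_control_map` (a threshold rule standing in for the synthesized $\mathcal{K}_d$, which is not reproduced on the page) are assumptions, not values from the paper.

```python
"""Two-room thermal model of Section 5 as a switched affine system, with the
delta-GUAS contraction rate kappa and a periodic quantized controller of the
form C_d = K_d o Q_eta (added illustration; not the paper's code).
Assumptions: T_f = 50 (the page gives no value), Q_eta rounds to the grid
eta*Z^2, and toy_control_map stands in for the synthesized map K_d."""
import math

A21 = A12 = 5e-2
AE1, AE2, AF = 5e-3, 3.3e-3, 8.3e-3
TE = 10.0       # external temperature (from the paper)
TF = 50.0       # heater temperature: ASSUMED, not given on the page


def matrices(p):
    """A_p, b_p of  dT/dt = A_p T + b_p  for mode p (0: heater off, 1: on)."""
    A = ((-(A21 + AE1 + AF * p), A21),
         (A12, -(A12 + AE2)))
    b = (AE1 * TE + AF * TF * p, AE2 * TE)
    return A, b


def contraction_rate():
    """kappa such that d/dt ||T - T'|| <= -kappa ||T - T'|| under both modes.
    e = T - T' obeys de/dt = A_p e, and A_p is symmetric (a12 = a21), so the
    decay rate of ||e|| is -lambda_max(A_p); 2x2 eigenvalues in closed form."""
    kappa = math.inf
    for p in (0, 1):
        (a, b), (c, d) = matrices(p)[0]
        tr, det = a + d, a * d - b * c
        lam_max = (tr + math.sqrt(tr * tr - 4 * det)) / 2
        kappa = min(kappa, -lam_max)
    return kappa


def step(T, p, tau=5.0, h=0.01):
    """Flow of mode p over one sampling period tau (RK4 with step h)."""
    A, b = matrices(p)

    def f(x):
        return tuple(A[i][0] * x[0] + A[i][1] * x[1] + b[i] for i in range(2))

    x = tuple(T)
    for _ in range(int(round(tau / h))):
        k1 = f(x)
        k2 = f(tuple(x[i] + h / 2 * k1[i] for i in range(2)))
        k3 = f(tuple(x[i] + h / 2 * k2[i] for i in range(2)))
        k4 = f(tuple(x[i] + h * k3[i] for i in range(2)))
        x = tuple(x[i] + h / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(2))
    return x


def quantize(T, eta):
    """Q_eta: nearest point of the grid eta*Z^2 (grid definition assumed)."""
    return tuple(eta * round(t / eta) for t in T)


def toy_control_map(q):
    """ASSUMED stand-in for K_d: heat iff the quantized room-1 temperature is
    below 21 degrees. The real K_d is the tree computed by the paper's method."""
    return 1 if q[0] < 21.0 else 0


def closed_loop(T0, periods, eta=0.0014, tau=5.0, K=toy_control_map):
    """Run the periodic quantized controller C_d = K o Q_eta: every tau time
    units the state is quantized, looked up, and the chosen mode is held."""
    traj, T = [tuple(T0)], tuple(T0)
    for _ in range(periods):
        T = step(T, K(quantize(T, eta)), tau)
        traj.append(T)
    return traj


if __name__ == "__main__":
    print(f"kappa = {contraction_rate():.5f}  (paper: 0.0042)")
    for k, T in enumerate(closed_loop((21.0, 21.0), 8)):
        print(f"t = {k * 5:3.0f}  T1 = {T[0]:.3f}  T2 = {T[1]:.3f}")
```

Running it reports $\kappa \approx 0.0041$, the paper's $0.0042$ up to rounding; since $\kappa$ must lower-bound the decay rate of $\|T - T'\|$ for both modes, it is the slower mode (heater off) that fixes it. The threshold rule is only there to show where the synthesized tree plugs in: the controller is evaluated once per period on the quantized state, exactly as $C_d = \mathcal{K}_d \circ Q_\eta$ prescribes.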

We computed a safety controller $\mathcal{K}_\varepsilon$ for the symbolic abstraction $T_{\tau,\eta}(\Sigma)$ and the specification $\mathrm{Cont}_\varepsilon(Y_S) = [20.25, 21.75]^2$. Then we computed the map $\mathcal{K}$ given by equation (3), shown in the left part of Figure 2. According to Theorem 2, the controller $C = \mathcal{K} \circ Q_\eta$ is a safety controller for $T_\tau(\Sigma)$ and specification $Y_S$. For a practical implementation of the controller, storing the map $\mathcal{K}$ as an array would require about 1 million memory units (the number of elements of $Q_\eta(Y_S)$). We computed a determinization $\mathcal{K}_d$ of $\mathcal{K}$ following the approach described in the previous section. Figure 2 shows the partition used for the representation of $\mathcal{K}_d$; note that in each region all values of $\mathcal{K}$ are either in $\{\emptyset, \{0\}, P\}$ (which corresponds to the value 0 for $\mathcal{K}_d$) or in $\{\emptyset, \{1\}, P\}$ (which corresponds to the value 1 for $\mathcal{K}_d$). The map $\mathcal{K}_d$ is represented in the right part of Figure 2, together with a trajectory of the switched system controlled using the controller $C_d$. For a practical implementation of the controller, storing the map $\mathcal{K}_d$ as a tree structure requires only 27 memory units (the number of nodes in the tree). We can see with this example that a lot of memory can be
Figure 3: Left: Set-valued map $\mathcal{K} : Q_\eta(Y_S) \to 2^P$ (light gray: $\{1\}$, medium gray: $P$, dark gray: $\{0\}$, white: $J(q) = +\infty$, black: $q \notin Q_\eta(Y_S \setminus Y_T)$). The number of elements in $Q_\eta(Y_S)$ is about 1 million. In blue, the partition used for the representation of $\mathcal{K}_d$, a determinization of $\mathcal{K}$; the resulting tree structure has 2249 nodes. Right: Determinization $\mathcal{K}_d$ of the map $\mathcal{K}$ shown on the left (light gray: 1, dark gray: 0). In blue, a trajectory of the switched system controlled using the controller $C_d = \mathcal{K}_d \circ Q_\eta$.



saved by using an efficient representation and by determinizing the controllers in such a way that their determinization can be represented more compactly. Safety guarantees for these controllers are still available by Theorem 4, which ensures "correctness by design".

We now consider the problem of bringing the temperature in the rooms between 20 and 22 degrees Celsius while keeping it between 17.5 and 22.5 along the way. This is a reachability specification with $Y_S = [17.5, 22.5]^2$ and $Y_T = [20, 22]^2$. For the synthesis of the controller, we use an approximately bisimilar symbolic abstraction of $T_\tau(\Sigma)$ of precision $\varepsilon = 0.5$. According to equation (2), we can choose a state-space sampling parameter $\eta = 0.0049$ for the computation of the symbolic abstraction $T_{\tau,\eta}(\Sigma)$.

We computed a reachability controller $\mathcal{K}_\varepsilon$ for the symbolic abstraction $T_{\tau,\eta}(\Sigma)$ and the specification $\mathrm{Cont}_\varepsilon(Y_S) = [18, 22]^2$, $\mathrm{Cont}_\varepsilon(Y_T) = [20.5, 21.5]^2$. Then we computed the map $\mathcal{K}$ given by equation (5), shown in the left part of Figure 3. For a practical implementation of the controller, storing the map $\mathcal{K}$ as an array would require about 1 million memory units.

We computed a determinization $\mathcal{K}_d$ of $\mathcal{K}$ following the approach described in the previous section. Figure 3 shows the partition used for the representation of $\mathcal{K}_d$. The map $\mathcal{K}_d$ is represented in the right part of Figure 3, together with a trajectory of the switched system controlled using the controller $C_d$. For a practical implementation of the controller, storing the map $\mathcal{K}_d$ as a tree structure requires only 2249 memory units (the number of nodes in the tree). Though the compression is not as spectacular as in the previous example, 2249 is still much less than 1 million. Moreover, Theorem 5 ensures "correctness by design".
6. Conclusion

In this paper, we have addressed the problem of synthesizing low-complexity quantized controllers for switched systems under safety and reachability specifications. By following a rigorous approach based on the use of symbolic models, we obtain controllers that are correct by design. Determinization of the synthesized controllers, together with an adequate data structure, can drastically reduce the memory needed to store the control law and leads to quantized controllers that can be implemented efficiently in practice.

In future work, we will address the problem of synthesizing low-complexity controllers using other types of symbolic models, such as the multi-scale symbolic models introduced in [18].